Authorization plugin for package installation

Is it possible to allow installation of specific packages/profiles without admin credentials by modifying authorization rights?.I was able to allow installation for all by modifying the installation right in authorizationdb.Is it possible to receive any information about package requesting for installation inside auth plugin so that i would be able to evaluate and allow.


Solution 1:

Missing Intent

Unfortunately, the information needed to evaluate if an installer package is whitelisted is not available during requests to obtain an system.install.* right.

Calls to macOS's Authorization Services do not include details about what the authorization will be used for.

Even if you implement a custom Authorization Plug-in, the authorization request will not mention what package is being installed.

Use plug-ins to extend macOS authorization services to perform authorizations in a new way or to implement a new policy that is too complex to be implemented entirely with the authorization policy database.

What Next?

Here are some options:

  • File a bug report directly with Apple;
  • Write a SMJobBless helper to grant administrator rights on-demand; see UpdateCore for an example administrator privileged helper tool that installs software;
  • Consider third party software that can provide a "self serve" service for your users.

Solution 2:

What you ask is possible in several ways. We use management frameworks like JAMF Pro or Munki to script and manage arbitrary changes and installations so that no user needs to download / package / install or prompt. These are powerful distributed automation options, but they cost time and salary and experience and licensing.

You can roll your own more minimal installer, Most require a bit of skill if you can’t change your installer to just run as non-admin, but they are lighter cost and weight than an MDM suite solution. See homebrew for a great example of an installer that needs admin only at setup and not when installing new code. If you need admin installer and can’t use brew cask to package your apps, a dependable way is to write a daemon that runs as admin. Microsoft Office, Adobe and many other software does this, the installer system runs at launch or as a daemon and gets admin privileges and then uses the OS to run periodically.

This avoids the design intent for the installer to ask for admin at the last moment when installations trigger. Following the design intent is generally more secure and far less work for you and your customers.